Infoblox has published a second threat report with critical updates on “Decoy Dog,” the remote access trojan (RAT) toolkit they discovered and disclosed in April 2023. The malware uses DNS to establish command and control (C2) and is suspected as a secret tool used in ongoing nation-state cyber attacks.
The threat actors swiftly responded following Infoblox’s disclosure of the toolkit, adapting their systems to ensure continued operations, indicating that maintaining access to victim devices remains a high priority. The analysis shows that the use of the malware has spread, with at least three actors now operating it. Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown, malware with many features to persist on a compromised device. Many aspects of Decoy Dog remain a mystery, but all signs point to nation-state hackers. Infoblox released a new data set containing DNS traffic captured from Infoblox’s servers to support further industry investigation of the C2 systems.
The question many in the industry continue to silently ask is: Are we really securing our network if we’re not monitoring our DNS? There is a significant risk that Decoy Dog and its use will continue to grow and impact organizations globally. Currently, the only known means to detect and defend against Decoy Dog/Pupy today is with DNS Detection and Response systems.
“It’s intuitive that DNS should be the first line of defence for organizations to detect and mitigate threats like Decoy Dog. Infoblox is the industry’s best-of-breed DNS Detection and Response solution, providing companies with a turn-key defence that other XDR solutions would miss,” said Scott Harrell, Infoblox President and CEO. “As demonstrated with Decoy Dog, studying and deeply understanding the attacker’s tactics and techniques allows us to block threats before they are even known as malware.”
Through large-scale DNS analysis, Infoblox has learned key features of the malware and the actors who operate it. Directly following the first announcement on social media, every Decoy Dog threat actor responded to Infoblox’s disclosures in different ways. Some of the name servers mentioned in Infoblox’s April 2023 report were taken down, while others migrated their victims to new servers.
Despite their efforts to hide, Infoblox has continued to track the activities and has since learned a great deal more about them. Infoblox has been able to infer the nature of some communications and estimates that the number of compromised devices is relatively small. Infoblox has also been able to distinguish Decoy Dog from Pupy and determine that Decoy Dog has a full suite of powerful, previously unknown capabilities, including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time. Some victims have actively communicated with a Decoy Dog server for over a year.
“The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat,” said Dr. Renée Burton, Head of Threat Intelligence at Infoblox. “The best defence against this malware is DNS. Malicious activity often goes unnoticed because DNS is undervalued as a critical component in the security ecosystem. Only enterprises with a strong protective DNS strategy can protect themselves from these types of hidden threats.”
In total, Infoblox is currently monitoring 20 Decoy Dog domains, some of which were registered and deployed within the last month. This toolkit exploits an inherent weakness of the malware-centric intelligence ecosystem that dominates the security industry today. Furthermore, this malware was discovered solely because of DNS threat detection algorithms. Organizations’ best defence against these attacks is protection at the DNS level, within every network.
“We urge the industry to take this research forward, further investigate and share their findings,” added Harrell. Hands-On, Real-Life Experience of Pupy at BlackHat: Dr. Renée Burton will be discussing why “Decoy Dog is No Ordinary Pupy” in detail, along with other key findings at the Black Hat cybersecurity conference in Las Vegas on Wednesday, August 9 from 1:15 pm-1:35 pm PT.
Throughout the conference, attendees will be able to meet with Infoblox researchers and demonstrate their skills with a series of hands-on challenges using a live Pupy controller via Infoblox’s Double Dog Dare experience. Additional short introductions to Decoy Dog and Pupy will be held at the booth theater both days. This unique experience will allow participants to see firsthand how the DNS traffic is used to relay communications between the client and server to better understand the serious threat this malware poses.
The Hidden Potential of DNS in Security: Decoy Dog and Pupy take advantage of the lack of DNS oversight that often occurs in networks. In fact, over 90% of all malware uses DNS in some way. Infoblox knows it’s imperative that security professionals understand the ways in which malware exploits DNS and how DNS Detection and Response can often thwart these attacks. Experts in the field recently released a new book titled “The Hidden Potential of DNS in Security.” This book gives readers everything they need to know about lookalike domains, domain-generated algorithms (DGAs), DNS tunnelling, data exfiltration over DNS, why hackers use DNS, and how to defend against these attacks.